Git .netrc File Authentication Issue on Ubuntu: Why GitHub Still Prompts for Credentials & How to Fix It

If you’ve set up a .netrc file to automate Git authentication with GitHub on Ubuntu, but GitHub still prompts for your username and password, you’re not alone. The .netrc file is a powerful tool for storing credentials to streamline HTTP/HTTPS-based Git operations, but misconfigurations, outdated practices, or conflicting settings often derail its functionality.

In this blog, we’ll demystify why GitHub continues to ask for credentials despite a .netrc file, break down the root causes, and provide step-by-step solutions to fix the issue. Whether you’re a developer, DevOps engineer, or hobbyist, this guide will help you achieve seamless, password-less Git interactions with GitHub on Ubuntu.

Table of Contents#

  1. Understanding .netrc and Git Authentication
  2. Common Causes of the "Still Prompting for Credentials" Issue
  3. Step-by-Step Fixes
  4. Verification Steps
  5. Troubleshooting Tips
  6. Conclusion
  7. References

Understanding .netrc and Git Authentication#

Before diving into the issue, let’s clarify what the .netrc file is and how Git uses it for authentication.

What is .netrc?#

The .netrc file (short for "network resource") is a plaintext file stored in your home directory (~/.netrc) that contains login credentials for remote servers. It’s traditionally used by command-line tools (like curl, ftp, or Git) to automatically authenticate with servers, eliminating the need to manually enter usernames and passwords.

How Git Uses .netrc#

Git can leverage the .netrc file for HTTP/HTTPS-based remote repositories (e.g., https://github.com/username/repo.git). When you run a Git command that interacts with the remote (e.g., git pull, git push, or git clone), Git checks the .netrc file for credentials matching the remote server’s domain (e.g., github.com). If valid credentials are found, Git uses them to authenticate silently.

Key Note: GitHub and Personal Access Tokens (PATs)#

Since August 2021, GitHub has deprecated password-based authentication for Git operations over HTTPS. Instead, you must use a Personal Access Token (PAT) as your "password" when authenticating with GitHub via HTTPS. This is critical: if you’re still using your GitHub password in .netrc, GitHub will reject the authentication, prompting you to re-enter credentials.

Common Causes of the "Still Prompting for Credentials" Issue#

If GitHub continues to prompt for credentials despite a .netrc file, one or more of the following issues is likely at play:

1. Incorrect Remote URL (SSH Instead of HTTPS)#

The .netrc file only works with HTTPS remote URLs. If your Git repository is configured to use an SSH remote (e.g., [email protected]:username/repo.git), Git will use SSH keys for authentication, ignoring .netrc entirely.

2. .netrc File Not in the Correct Location or Has Incorrect Permissions#

  • Location: The .netrc file must reside in your home directory (~/.netrc or /home/your_username/.netrc). Git won’t recognize it if it’s stored elsewhere (e.g., /tmp/.netrc).
  • Permissions: For security, .netrc must be readable only by you. If permissions are too open (e.g., readable by others), Git will ignore the file to prevent credential leaks. The correct permission is 600 (read/write for the user, no access for others).

3. Invalid .netrc Syntax or Content#

The .netrc file has strict syntax rules. Common mistakes include:

  • Incorrect machine value: The machine field must match the remote server’s domain (e.g., github.com for GitHub). Typos like github.com/ or www.github.com will fail.
  • Using a Password Instead of a PAT: As noted earlier, GitHub no longer accepts passwords for HTTPS Git operations. If your .netrc uses your GitHub password, authentication will fail.
  • Missing or Misplaced Fields: The .netrc entry for GitHub must include machine, login, and password fields in that order. Omitted or out-of-order fields will cause Git to ignore the entry.

4. Git Not Configured to Use .netrc#

By default, Git may not use the .netrc file unless explicitly configured to do so. If a different credential helper (e.g., cache, store, or OS-specific helpers like gnome-keyring) is enabled, Git might prioritize that over .netrc.

5. Conflicting Credential Helpers#

Git supports multiple credential helpers, and if another helper (e.g., git credential-cache or git credential-store) is active, it may override or interfere with .netrc. For example, if Git cached invalid credentials earlier, it might keep prompting for updates instead of using .netrc.

Step-by-Step Fixes#

Let’s address each cause with actionable solutions.

Step 1: Verify the Remote URL is HTTPS#

First, confirm your Git repository is using an HTTPS remote URL:

git remote -v

Expected Output (HTTPS):

origin  https://github.com/your_username/your_repo.git (fetch)
origin  https://github.com/your_username/your_repo.git (push)

If Using SSH (e.g., [email protected]:your_username/your_repo.git), update the remote to HTTPS:

git remote set-url origin https://github.com/your_username/your_repo.git

Step 2: Ensure .netrc is in the Correct Location with Proper Permissions#

Check Location#

Verify .netrc exists in your home directory:

ls -la ~/.netrc

If the file is missing, create it:

touch ~/.netrc

Fix Permissions#

Set permissions to 600 (critical for security and Git recognition):

chmod 600 ~/.netrc

Verify Permissions:

ls -la ~/.netrc
# Output should show: -rw------- 1 your_username your_username ... .netrc

Step 3: Correct .netrc Syntax and Content#

Edit the .netrc file with a text editor (e.g., nano, vim):

nano ~/.netrc

Add or update the entry for GitHub. Use the following template, replacing placeholders with your details:

machine github.com
login YOUR_GITHUB_USERNAME_OR_EMAIL
password YOUR_GITHUB_PAT

Key Details:#

  • machine: Must be github.com (no trailing slashes or www).
  • login: Can be your GitHub username, email, or even a dummy string (GitHub ignores this when using a PAT, but it’s required for syntax).
  • password: Must be your GitHub PAT (passwords are deprecated).

How to Generate a GitHub PAT#

If you don’t have a PAT:

  1. Go to GitHub’s PAT settings.
  2. Click "Generate new token" → "Generate new token (classic)".
  3. Add a note (e.g., "Ubuntu .netrc Auth"), set an expiration, and select scopes (minimum: repo for private repos, public_repo for public repos).
  4. Click "Generate token" and copy it immediately (it won’t be shown again).

Step 4: Configure Git to Use .netrc#

Tell Git to use the .netrc file by setting the credential.helper to netrc:

git config --global credential.helper netrc

If you only want this for the current repository (not globally), omit --global:

git config credential.helper netrc

Step 5: Disable Conflicting Credential Helpers#

Check for active credential helpers that might override .netrc:

git config --list | grep credential.helper

If you see entries like credential.helper=cache or credential.helper=store, unset them:

# For global config
git config --global --unset credential.helper
 
# For local repo config (if needed)
git config --unset credential.helper

Then re-enable the netrc helper (Step 4).

Step 6: Clear Stale Credentials#

If Git cached invalid credentials earlier, clear them to avoid conflicts:

# For cache helper (if previously used)
git credential-cache exit
 
# For store helper (deletes stored credentials)
rm ~/.git-credentials

Verification Steps#

Test if the issue is resolved by running a Git command that interacts with the remote (e.g., git pull, git push, or cloning a private repo):

# Example: Clone a private repo (replace with your private repo URL)
git clone https://github.com/your_username/your_private_repo.git

Expected Result: Git should authenticate silently without prompting for credentials.

Additional Checks#

  • Confirm Git is using the netrc helper: 
    git config --list | grep credential.helper
# Output should show: credential.helper=netrc
  • Verify .netrc permissions and content again to rule out typos.

Troubleshooting Tips#

If the issue persists, try these advanced steps:

Check for Hidden Characters in .netrc#

Use cat -v ~/.netrc to reveal hidden characters (e.g., Windows line endings ^M). If found, re-save the file with Unix line endings (in nano, use Ctrl+O, then Alt+D to disable DOS format).

Verify PAT Scopes#

Ensure your PAT has the necessary scopes (e.g., repo for private repos). Go to GitHub PAT settings, edit your token, and confirm scopes.

Update Git#

Older Git versions (pre-2.18) may have bugs with .netrc handling. Update Git:

sudo apt update && sudo apt upgrade git

Debug with GIT_TRACE#

Enable Git tracing to see why authentication is failing:

GIT_TRACE=1 git pull

Look for lines mentioning credential or netrc to identify errors (e.g., "netrc: could not find entry for github.com").

Conclusion#

The "GitHub still prompts for credentials with .netrc" issue on Ubuntu is typically caused by misconfigured remote URLs, incorrect .netrc permissions/syntax, deprecated passwords (instead of PATs), or conflicting credential helpers. By following the steps above—verifying the HTTPS remote, setting up .netrc with a PAT, configuring Git to use netrc, and disabling conflicting helpers—you can achieve seamless, password-less Git authentication.

References#

2025-12